Proposing a new netgraph nodetype: ng_antispoof

mms

New Member

Reaction score: 3
Messages: 18

I would like to find the appropriate place to discuss my idea for a new netgraph node type that filters traffic based on ethernet and IP address.

As a snippet sometimes says more than a thousand words, here it is for the gist of it:
Code:
ngctl mkpeer ngeth0: antispoof ether filter
ngctl name ngeth0:ether as
ngctl msg as: addinet '{ ether=0a:00:de:ad:be:ef ip_addr=192.168.42.1 }'

This would block any traffic that is addressed to or originates from ngeth0 that refers to that interface with a different ethernet or IP address as the ones indicated above.

My motivation for this is based on the desire to prevent VNET jails from spoofing, the the lack of L2 support (and other peculiarities) by pf(4) and some interesting behavior I have observed regarding bridge(4) with added epair(4) interfaces.

Note that I am not here for advice on using ipfw(8) instead of pf. So please don't.

I have already implemented the node type as a proof of concept and played with it a bit. So I'm not really here for advice on how to implement something like this, but rather on how to kick off a discussion and where the appropriate place for this would be (freebsd-net or any other mailinglist, forum, ...). I have to admit that after looking into the developer handbook and other sources I am still not sure what the process for creating a new kernel module looks like in terms of the FreeBSD community. So any guidance is highly appreciated.

Maybe this is already the place to be, in which case I will happily present a more detailed case and ask for advice on certain details I can't seem to make my mind up. :)
 

George

Aspiring Daemon

Reaction score: 203
Messages: 510

It's not guaranteed that you get an answer in the mailing lists. But it's your best bet, if you want to get in contact with the developers.
There is also this wiki. https://wiki.freebsd.org/TomMarcoen/JailNetworking

If you have a very concrete idea, you can post it in bugs.freebsd.org, and label it as request, or patch idea.

reviews.freebsd.org is the place if you have already written the code, and want to submit it.
 
OP
M

mms

New Member

Reaction score: 3
Messages: 18

Thank you a lot!
I've subscribed to the mailing lists and posted my current draft on bugs.freebsd.org: PR 249275.

I will have a look at reviews.freebsd.org as soon as my account has been activated.
 

Mjölnir

Daemon

Reaction score: 1,503
Messages: 2,114

The proposed functionality is already provided by ng_bpf(4)).
I wanted to ask: "how?", but that's described in the review :) Even if your propposed work was abandoned, you seem to have found & fixed a bug, that's great! And very likely you learned much while coding, so your efforts were not in vain.
 
Top